Sunday, March 27, 2016

As we continue this journey looking into learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit, the focus of this post allows me to get a better understanding of how I may be able to use the mimikatz tool.

In this post, metasploit usage is continued in order to leverage mimikatz.

The image below shows that first "pwd" was executed to determine the directory which we have landed in.Once we know where we are, next we created a directory named "x64" in "c:".Once the directory is completed, we next upload the mimikatz files to the x64 folder.

Now that we have uploaded the files, let's "execute" mimikatz from the meterpreter

Looks like it uploaded successfully! Let's verify that we are good to go.

Still looks good! Moving on!!

Let's look at the logon passwords for this sessions using the command "sekurlsa::logonPasswords"

From the image above, we see a plethora of information has been provided to us. For the account with username "administrator" we see among the information, the "Logon Time", the LM, NTLM and SHA1 hash of the administrator account password. Most importantly, we see also that we were provided with the clear text password "Testing1". This is good stuff.

What else can we get, let's figure it out or obtain.

Above shows that we can export the private and public key for administrator's certificate. While I executed this command, I did not see the files created. However, I later tested this directly on the Windows 2008 box and it worked. See this postAlternatively we could have exported the key associated with administrator account.Anything more?! Let's try looking at any Kerberos ticket association with the logon user.From below we see there is one.OK! There is a lot more to be learnt about mimikatz. So in the next post I will take a look at the pass the ticket vulnerability. I'm very interested in this as pass the hash still exist and I'm verry much aware of this. However, the pass the ticket is what I'm interested in at this time.

Below is a list of threat intelligence websites that you can use. Cymon.io is an excellent one as it searches around 200 different sources. If you’re looking for a more exhaustive list of threat intel sites, check out https://github.com/rshipp/awesome-malware-analysis